1. INTRODUCTION

The use of the internet of things (IoT) has expanded substantially in recent years, along with
growing cybersecurity concerns. Cybersecurity has become a serious concern for institutions and
businesses of all kinds, with the quantity and sophistication of attacks increasing at an alarming rate [1].
IoT prototypes may be used for a variety of reasons and installed in a variety of locations depending on
the use case. On deployment, the size of these devices can range from microscopic to massive, and they carry
the most critical and sensitive information across all sensory modes of everyday living activities [2]. The main
worry with IoT systems is device security and the protection of data from attacks. Cyber-attacks are the
intentional exploitation of, or unlawful access to, the information of a specific person or
the private infrastructure of another person or organization. It is not easy to protect IoT devices, with their
hardware and protocols, from attacks, because they are directly exposed over the internet and because of
resource limits on the devices [3].

The term "bots" refers to a network of robots. Typically, a botmaster or attacker takes control of a
computer by infecting it with a virus or other malware. The botmaster gains access to the victim system
in this manner. As a result, the infected machine is thereafter controlled by the bot manager and
carries out its directives, and the bot manager can make use of this capability. Most of the time,
users of these devices are unaware that their systems are being remotely managed and abused [4]. A bot attack
occurs when the target is directly attacked by a large number of infected systems, causing the target systems
to fail to provide service. Such attacks are planned and organized through the use of botnets to infect systems [5].
Since bot attacks are a severe and difficult problem, several solutions have been offered to combat them. In general,
there is no mechanism that can ensure that such attacks will not occur. Instead, there are simple ways of
preventing repeated attacks and lessening the impact of other attacks [6].

Long short-term memory (LSTM), a recurrent neural network (RNN) development, was introduced by Hochreiter
and Schmidhuber [7] to address the defects of RNNs by adding additional interactions per unit (or
cell). LSTMs are a special type of RNN that is capable of learning long-term dependencies and remembers
information for long periods of time by default. The LSTM model is structured as a chain [8], [9].
The problem security typical for the IoT, as well as the purpose of gaining unauthorized access to the IoT [10]. 

The main goal is to develop an effective and dynamic action plan capable of detecting IoT attacks.
The current study proposes a model that contributes to the discovery
of botnet attacks and breaches that occur on IoT devices. It uses the LSTM model to detect two well-known, common,
and dangerous IoT attacks (Bashlite and Mirai). The proposed model detects attacks on four types of security
cameras in this study. The dataset contains data about attacks on devices connected to the IoT in suspicious packets
collected in real time. The results were reasonably satisfactory.

The current study has provided several concepts and strategies for protecting the IoT from the threats it
faces. In this part, the present study reviews the works of earlier researchers on this topic. The author's
study [11] intends to explore cyber security in the face of distributed denial of service (DDoS), binary intrusion
detection system (B-IDS), and malware attacks. For botnet attack detection, he employed a variety of machine
learning methods, including "support vector machine, naive Bayes, linear regression (LR), artificial neural
network (ANN), decision tree, random forest, fuzzy classifier, K-nearest neighbor (K-NN), adaptive boosting,
gradient boosting, and tree ensemble". These algorithms were evaluated on nine sensor devices
using the network-based detection of IoT (N-BaIoT) dataset to assess the intrusion detection system's security and
accuracy. The results show that the tree-based algorithms obtained higher accuracy, more than 99%, on the
same sensors compared to the other tested methods. Mohamed and colleagues used a "Bayesian
optimization Gaussian process classification (BO-GP)" and "decision tree (DT)" model to identify botnet attacks
on IoT devices [12]. The suggested optimized DT-based architecture enhanced accuracy, precision, recall, and
F-score in experiments. It achieved values of 99.99%, 0.99, 1.00, and 1.00 for these four measures, respectively.
Sriram employed numerous traditional machine learning (ML) classifier methods in his study [13], and the results
of his experiments are shown in his publication. Yan and colleagues used three different ML algorithms for botnet
attack detection in [14], including an ANN, a J48 decision tree, and Naive Bayes, with an overall detection
performance of around 99%.

Lee et al. [15] utilized four different machine learning algorithms on three different botnet attack
datasets: Stratosphere lab at CTU-Prague (CTU-13), intrusion detection evaluation dataset (CIC-IDS2017), and
IoT-23. Alkahtani and Aldhyani [16], Seungjin developed a strategy for botnet detection that combines honeypots
and machine learning to characterize botnet attacks. The experimental findings indicated that the random forest
method with the Weka machine learning application produced a high accuracy of more than 96% and a false
positive rate of 0.24127. The study is divided into sections: the introduction and the relevant work in this field;
section 2 (method), which examines the botnet dataset on the IoT and goes over the LSTM employed in the
present study and the performance of the network in identifying IoT threats; section 3, which describes the outcome;
and section 4, which analyzes the study's findings.


2. METHOD 
2.1. Botnet dataset 

Most researchers in the field of cyber-attacks and the IoT have worked on internationally accredited
databases for the purpose of scientific research [17]-[20]. The dataset used in this research was created using
real network traffic and commercial IoT devices, obtained from packets coming from different types
of surveillance cameras used in homes and shops connected to the internet. Table 1 shows the commercial security
camera devices from which network traffic, including botnet attacks, was extracted. The dataset
contains two primary attacks, Mirai and Bashlite, with subtype attacks for each, as indicated in Table 2.


Table 1. Devices which were used to develop the dataset

Device type       Devices used in model
Security camera   Provision PT-737E
Security camera   Provision PT-838
Security camera   Simple Home XCS7-1002-WHT
Security camera   Simple Home XCS7-1003-WHT
Security camera   Samsung SNH1011N

Table 2. The type of botnet attacks

Attacks name   Sub attacks       Description
Bashlite       Junk              Sending spam data
               TCP flood         Sending flood of request
               UDP               Sending flood of request
               Scan              Scans network for victim device
               COMBO             Open connection IP address and network port
Mirai          ACK               Send flood of acknowledgment
               SYN               Send synchronize packet flood
               Plain UDP         UDP flood by optimizing sending packet per second
               UDP flood scan    Scan the network for victim device


2.2. Long short-term memory (LSTM)

Long short-term memory is an artificial neural network that is used in many areas such as deep learning
and artificial intelligence. In contrast to the standard feed-forward ANN, LSTM possesses feedback
connections. Such an RNN can process not only single data points but also
entire sequences of data [21].

The name LSTM refers to the analogy that a standard RNN has both "long-term memory" and
"short-term memory". The connection weights and biases in the network change once per loop during
training, similar to the physiological changes in synaptic strengths that store long-term
memories. The activation patterns in the network change once for each time step [22], which is
analogous to the way in which the momentary change in electrical firing patterns in the brain
stores short-term memories.

The LSTM architecture aims to provide a "short-term memory" for an RNN that can last
for thousands of time steps, hence "long short-term memory" [23]. A common LSTM module
consists of a cell, an output gate, an input gate, and a forget gate. The cell remembers values over arbitrary
time intervals, while the three gates control the flow of information into and out of the
cell [24].

LSTM networks are suitable in many areas, including classifying, processing and making
predictions based on time series data, where there can be multiple unknown delays between
important events in a given time series. In fact, LSTMs were developed in order to deal with several problems,
including the vanishing gradient problem that can be encountered when training traditional RNNs.
Relative gap length sensitivity is one of the features of LSTM over RNNs and other sequential learning
methods used in many fields and applications [25].

In the following equations, lowercase variables represent vectors. The matrices $WE_q$ and $IN_q$ contain,
respectively, the input weights and the weights of the recurrent connections, where the
subscript $q$ can be the input gate $ig$, the output gate $og$, the forget gate $fo$ or the memory cell $c$, according
to the activation being calculated. This section therefore uses 'vector notation' [26]. The forward pass
of an LSTM cell with a forget gate is computed with the
following formulas [24], [27]:


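$$\mathit{fo}_t = \sigma_g(WE_{fo}\,\mathit{xin}_t + IN_{fo}\,\mathit{hi}_{t-1} + b_{fo}) \tag{1}$$
$$\mathit{ig}_t = \sigma_g(WE_{ig}\,\mathit{xin}_t + IN_{ig}\,\mathit{hi}_{t-1} + b_{ig}) \tag{2}$$
$$\mathit{og}_t = \sigma_g(WE_{og}\,\mathit{xin}_t + IN_{og}\,\mathit{hi}_{t-1} + b_{og}) \tag{3}$$
$$\mathit{ci}_t = \sigma_c(WE_{c}\,\mathit{xin}_t + IN_{c}\,\mathit{hi}_{t-1} + b_{c}) \tag{4}$$
$$c_t = \mathit{fo}_t \odot c_{t-1} + \mathit{ig}_t \odot \mathit{ci}_t \tag{5}$$
$$\mathit{hi}_t = \mathit{og}_t \odot \sigma_h(c_t) \tag{6}$$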


where the initial values are $c_0 = 0$ and $\mathit{hi}_0 = 0$, and the operator $\odot$ denotes the Hadamard product
(element-wise product). The time step is indexed by the subscript $t$. Table 3 shows the symbols
used in the above equations.

Table 3. The notation of equations

Symbol             Meaning of symbol
$\mathit{xin}_t$   Input vector
$\mathit{fo}_t$    Forget gate
$\mathit{ig}_t$    Input / update gate
$\mathit{og}_t$    Output gate
$\mathit{hi}_t$    Hidden state
$\mathit{ci}_t$    Cell input
$c_t$              Cell state
$b$                Bias value
$\sigma_g$         The sigmoid function
$\sigma_c$         The hyperbolic tangent function
$\sigma_h$         The hyperbolic tangent function
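
An added example (not code from the paper): a pure-Python forward pass of the LSTM cell in equations (1)-(6), using the paper's symbol names. The one-unit weights and the burst-then-quiet input sequence are constructed for illustration; the run shows a forget gate near 1 carrying one burst through later quiet time steps, while a forget gate near 0 discards it.

```python
import math

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def affine(WE, IN, b, xin, hi_prev):
    """WE·xin_t + IN·hi_{t-1} + b, computed row by row for one gate."""
    return [sum(w * x for w, x in zip(we_row, xin))
            + sum(u * h for u, h in zip(in_row, hi_prev)) + bias
            for we_row, in_row, bias in zip(WE, IN, b)]

def lstm_step(p, xin, hi_prev, c_prev):
    """One time step; p maps "fo", "ig", "og", "c" to (WE, IN, b)."""
    fo = [sigmoid(z) for z in affine(*p["fo"], xin, hi_prev)]        # eq. (1)
    ig = [sigmoid(z) for z in affine(*p["ig"], xin, hi_prev)]        # eq. (2)
    og = [sigmoid(z) for z in affine(*p["og"], xin, hi_prev)]        # eq. (3)
    ci = [math.tanh(z) for z in affine(*p["c"], xin, hi_prev)]       # eq. (4)
    c = [f * cp + i * g for f, cp, i, g in zip(fo, c_prev, ig, ci)]  # eq. (5)
    hi = [o * math.tanh(v) for o, v in zip(og, c)]                   # eq. (6)
    return hi, c

def lstm_forward(p, sequence, hidden):
    """Run the cell over a sequence, starting from c_0 = 0 and hi_0 = 0."""
    hi, c = [0.0] * hidden, [0.0] * hidden
    states = []
    for xin in sequence:
        hi, c = lstm_step(p, xin, hi, c)
        states.append((hi, c))
    return states

def demo_params(forget_bias):
    """Constructed one-unit weights (assumption, not trained on any dataset)."""
    zero = [[0.0]]
    return {"fo": (zero, zero, [forget_bias]),   # forget gate fixed by its bias
            "ig": ([[10.0]], zero, [-5.0]),      # opens only on a high input
            "og": (zero, zero, [6.0]),           # output gate held open
            "c":  ([[4.0]], zero, [0.0])}

# Constructed input: one burst window, then four quiet windows (scaled rate).
SEQUENCE = [[1.0], [0.0], [0.0], [0.0], [0.0]]

if __name__ == "__main__":
    for bias in (6.0, -6.0):
        c_last = lstm_forward(demo_params(bias), SEQUENCE, hidden=1)[-1][1][0]
        print(f"forget bias {bias:+.0f}: c_5 = {c_last:.4f}")
```
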


3. EXPERIMENTAL RESULTS 




In this part of the paper, the steps of the model that was built and the analysis and presentation of the
results are explained. After initial processing, the data is sent to the LSTM network
whose details are described in the previous part. The results obtained determine whether a packet belongs to a type of
botnet attack or is just an ordinary packet. Figure 1 illustrates the work of the proposed model.


[Figure 1: flow diagram with blocks labelled Datasets, Dataset Splitting, Data Preprocessing & Features Extraction, Features Extraction, Dataset Labelling, Features Selection, Model Training, and Botnet Detection]

Figure 1. Methodology for botnet attacks detection

To evaluate the system for detection of botnet attacks, the accuracy, recall,
precision, and F1-score metrics were used, as follows:


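$$\text{Accuracy} = \frac{TP + TN}{TP + FP + FN + TN} \times 100\% \tag{7}$$
$$\text{precision} = \frac{TP}{TP + FP} \times 100\% \tag{8}$$
$$\text{sensitivity} = \frac{TP}{TP + FN} \times 100\% \tag{9}$$
$$\text{recall} = \frac{TP}{TP + FN} \times 100\% \tag{10}$$
$$\text{F1-score} = 2 \times \frac{\text{precision} \times \text{sensitivity}}{\text{precision} + \text{sensitivity}} \times 100\% \tag{11}$$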

where TP denotes true positive, FP false positive, TN true negative, and FN false negative.
This research works on four types of
security cameras, which are considered types of internet of things devices, verifying the possibility of
their being exposed to botnet attacks and examining the effectiveness of the firefly algorithm in detecting
botnet attacks against internet of things devices. The types of cameras used are: Provision PT-737E, Provision
PT-838, Simple Home XCS7-1002-W and Simple Home XCS7-1003-WHT. The results of the experiment
showed that the presented system was good and acceptable based on the evaluation metrics, as shown in
Table 4.

Table 4. Model performance in detecting botnet attacks for four types of camera as IoT devices

Camera types                Accuracy   Precision   Recall   F1-score
Provision PT-737E           94.27      96.57       96.21    96.38
Provision PT-838            92.46      99.60       94.73    97.10
Simple Home XCS7-1002-W     94.57      97.33       95.88    96.59
Simple Home XCS7-1003-WHT   94.57      99.68       96.22    97.91


4. CONCLUSION 

In this study, LSTM, a deep learning architecture based on an artificial recurrent
neural network, was considered. LSTMs are a viable solution for problems involving sequences and time series. In addition,
LSTM is useful in time series prediction because of its ability to remember previous inputs. It was used to detect
botnet attacks that affect devices used in internet of things systems, and the results showed
that the algorithm is efficient and flexible in dealing with data, in addition to its efficiency in detection. The proposed
model in this paper works to detect attacks on four types of security cameras. The dataset contains data about attacks on
devices connected to the internet of things in suspicious packets collected in real time. According to the
assessment metrics, the experiment results demonstrated that the suggested system performed well. For the
Provision PT-737E camera, the suggested system for identifying botnets gave the
following results: accuracy: 94.27%, recall: 96.57%, and F1 score: 96.38%. The system's results in
classifying botnet attacks on the Provision PT-838 camera were 92.46% for accuracy, 94.73% for recall and
97.10% for F1 score. The results for Simple Home XCS7-1002-W were 94.57% for accuracy, 95.88% for recall and
96.59% for F1 score. The results for Simple Home XCS7-1003-WHT were 94.57% for accuracy, 96.22% for recall
and 97.91% for F1 score.